Paxfire or How ISPs Hijack Traffic and Affiliate Commissions

On Monday, August 8, Pace Lattin of Performance Marketing Insider has drawn the industry’s attention to a lawsuit filed by Reese Richman LLP, the subject of which is “questionable and possibly illegal behavior … by hijacking search queries.” Pace wrote:

Using a technology by Paxfire, supposedly DNS redirects from searches on Bing, Yahoo and Google would lead consumers directly to the page of certain brand and credit the ISP’s affiliate account with any possible commissions. [more here]

Paxfire proudly proclaims itself to be the “proven industry leader in monetizing Address Bar Search and DNS Error traffic for Network Operators. Through our carrier-grade technology, we generate millions of dollars a month in new advertising revenue for our partners by enabling them to participate in the booming $20 billion a year search advertising market.”

In other words, what Paxfire does is it intercepts your searches. Then, if their proxy servers find a match in their advertising databases, they’ll send you top search results from their affiliate marketing programs rather than what your search engine would give you as the best results. [source]

Apparently, the four International Computer Science Institute (Berkely, CA) researchers — whose study reveled that around a dozen of ISPs were using the technology — have put together a blog post on the subject where they’ve mentioned the major affiliate networks that were affected (Commission Junction, LinkShare, and Google Affiliate Network), as well as two tools that affiliates should find of help in spotting traffic hijacking threats:

Why do they do this?

In short, the purpose appears to be monetization of users’ searches. ICSI Networking’s investigation has revealed that Paxfire’s http proxies selectively siphon search requests out of the proxied traffic flows and redirect them through one or more affiliate marketing programs, presumably resulting in commission payments to Paxfire and the ISPs involved. The affiliate programs involved include Commission Junction, the Google Affiliate Network, LinkShare, and Ask.com. When looking up brand names such as “apple”, “dell”, “groupon”, and “wsj”, the affiliate programs direct the queries to the corresponding brands’ websites or to search assistance pages instead of providing the intended search engine results page.

What can I do about it?

If you want to know if the network you’re currently on is subject to this type of traffic redirection, you can run a Netalyzr test. And the best protection against the privacy and security risks created by this type of hijacking is to visit sites using httpS rather than http, which can easily be achieved using EFF’s httpS Everywhere Firefox extension. [more here]

We had no knowledge of this reported activity until last week. At the time, Paxfire was in fact a publisher in the CJ network. We have taken immediate action — Paxfire has been deactivated pending further investigation, and we are continuing our investigation of this matter. [source]

Well, Paxfire is “deactivated”, but there are other similar players — and we’ve discussed this in comments under this 2009 post of mine — who cooperate with ISPs on very similar terms; and who are still active on major affiliate networks (e.g.: working with ISPs “replacing DNS and http errors with relevant advertising” [source]). This has been going on for years… Of course, the problem with Paxfire is different in the fact that they also have “an optional, unadvertised, and more alarming feature that drastically expands Paxfire’s window into users’ traffic” whereby “instead of activating only upon error, this product redirects the customers’ entire web search traffic destined for Yahoo!, Bing, and sometimes Google, to a small number of separate web traffic proxies.” [more here] Either way, whether another affiliate’s cookie gets overwritten in the process or not, together with the traffic affiliate commissions get “hijacked” as well.

Meanwhile, the above-quoted class-action lawsuit (against an ISP and Paxfire itself) is already filed; and we’ll keep monitoring the situation for you.